CN103067411B - Method and apparatus for preventing DoS attacks in a DS-Lite network - Google Patents

Method and apparatus for preventing DoS attacks in a DS-Lite network

Info

Publication number: CN103067411B
Application number: CN201310026178.9A
Authority: CN (China)
Prior art keywords: message, ipv6, ipv6 message, address, aftr
Legal status (an assumption by Google Patents, not a legal conclusion): Active
Other languages: Chinese (zh)
Other versions: CN103067411A
Inventor: 李伟辰
Current assignee (as listed by Google Patents, possibly inaccurate): New H3C Information Technologies Co Ltd
Original assignee: Hangzhou H3C Technologies Co Ltd
Application filed by Hangzhou H3C Technologies Co Ltd; priority to CN201310026178.9A; published as CN103067411A; granted and published as CN103067411B.

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

This application provides a method and apparatus for preventing DoS attacks in a DS-Lite network. In the method, when the AFTR receives an IPv6 packet from a B4, it does not immediately decapsulate the packet, apply NAT and forward it; instead it first verifies the authenticity of the B4 through a packet exchange with it, and only when that verification succeeds does it decapsulate, NAT and forward the received IPv6 packet. This prevents the AFTR from being subjected to a DoS attack.

Description

Method and apparatus for preventing DoS attacks in a DS-Lite network
Technical field
The application relates to network communication technology, and in particular to a method and apparatus for preventing denial of service (DoS) attacks in a Dual-Stack Lite (DS-Lite) network.
Background
IPv6 has been formally enabled on commercial networks worldwide; IPv6 networks will keep growing and will eventually replace the existing IPv4 network as the backbone of the Internet. But for reasons such as cost and technical limitations, Internet hosts that provide services over IPv4 addresses will remain for a considerable time, so network operators must be able to provide communication between IPv4 islands across an IPv6 network.
IPv4-over-IPv6 tunnels can provide communication between IPv4 islands across an IPv6 network, but to guarantee that communication an IPv4-over-IPv6 tunnel must be established between every pair of IPv4 islands, as shown in Fig. 1. This makes the network complex and hard to scale, raises the operator's maintenance cost, and requires public IPv4 addresses on the IPv4 islands; with public IPv4 addresses exhausted, such a deployment is severely limited.
The DS-Lite protocol arose to solve the problems of establishing IPv4-over-IPv6 tunnels between IPv4 islands; it combines tunneling with network address translation (NAT). Fig. 2 shows a network built with the DS-Lite protocol. For brevity, a network using the DS-Lite protocol is referred to below as a DS-Lite network.
In a DS-Lite network, the operator side deploys a NAT router called the Address Family Transition Router (AFTR), and the user side deploys multiple Basic Bridging BroadBand elements (B4s). Fig. 2 shows only two B4s, B4_1 and B4_2. The clients connected to any B4 use private IPv4 addresses, and the IPv4 addresses used by clients behind different B4s may overlap. An IPv4-over-IPv6 tunnel is established between the AFTR and each B4, and they communicate using IPv6 addresses.
Taking Client1, connected to B4_1 in Fig. 2, accessing a public IPv4 host as an example, the whole access flow is described with reference to Fig. 3:
In Fig. 3, Client1, connected to B4_1, first sends an IPv4 packet destined for the public IPv4 host to B4_1.
When B4_1 receives the IPv4 packet from Client1, it encapsulates it with an IPv6 header whose source address is the IPv6 address of B4_1. For ease of description, an IPv4 packet encapsulated with an IPv6 header is referred to here as an IPv6 packet.
B4_1 then sends the IPv6 packet to the AFTR through the IPv4-over-IPv6 tunnel between them.
When the AFTR receives the IPv6 packet from B4_1, it decapsulates it, obtains and records the IPv6 address of B4_1 carried in the IPv6 header, extracts the inner IPv4 packet, and applies NAT to it: the source IP address of the IPv4 packet (which is in fact the IP address of Client1) is replaced with a public IP address, and the packet is sent to the public IPv4 host over the IPv4 network.
When the public IPv4 host receives the packet from the AFTR, it returns an IPv4 response over the IPv4 network.
When the IPv4 response from the public IPv4 host arrives at the AFTR, the AFTR first applies NAT to it, replacing its destination IP address with the private IP address (which is in fact the IP address of Client1), then uses the previously recorded IPv6 address of B4_1 to encapsulate the response with an IPv6 header, forming an IPv6 packet, and sends it to B4_1 through the IPv4-over-IPv6 tunnel to B4_1.
When B4_1 receives the IPv6 packet from the AFTR, it decapsulates it, obtains the inner IPv4 response, and delivers it to Client1.
This completes the access flow.
However, the access flow carries a potential security risk: an attacker can copy or forge tunnel packets from a B4 and send them to the AFTR. Because tunnel encapsulation and decapsulation and NAT processing (including the NAT state created per flow) are all resource-intensive, an AFTR that receives a large number of forged tunnel packets may be unable to process legitimate packets, which constitutes a DoS attack.
Summary of the invention
This application provides a method and apparatus for preventing DoS attacks in a DS-Lite network, so as to defend against DoS attacks in such a network.
The technical solution provided by the application comprises:
A method for preventing DoS attacks in a DS-Lite network, applied to the NAT router (AFTR) in the DS-Lite network, comprising:
receiving an IPv6 packet sent by a Basic Bridging BroadBand element (B4) in the DS-Lite network;
judging whether the source IP address of the IPv6 packet, which is the IP address of the B4, exists in an established trusted list;
if so, decapsulating the IPv6 packet, obtaining the inner IPv4 packet and sending it;
if not, identifying whether the IPv6 packet carries verification confirmation information (the response); if it does not, generating verification information (the challenge), carrying it in an IPv6 associated packet that is associated with the IPv6 packet, and returning it to the B4, so that the B4 generates verification confirmation information from the received verification information, carries it in an IPv6 packet associated with the IPv6 associated packet, and returns it to the AFTR;
if it does, verifying the verification confirmation information and, when verification succeeds, determining that the B4 is trusted and adding the source IP address of the IPv6 packet to the trusted list.
A method for preventing DoS attacks in a DS-Lite network, applied to a Basic Bridging BroadBand element (B4) in the DS-Lite network, comprising:
receiving an IPv6 packet sent by the NAT router (AFTR) in the DS-Lite network;
identifying whether the IPv6 packet carries verification information;
if so, generating verification confirmation information from the verification information carried in the IPv6 packet, carrying it in an IPv6 packet associated with the received IPv6 packet, and sending it to the AFTR;
if not, decapsulating the received IPv6 packet, obtaining the inner IPv4 packet and sending it.
An apparatus for preventing DoS attacks in a DS-Lite network, applied to the NAT router (AFTR) in the DS-Lite network, comprising:
a receiving unit for receiving an IPv6 packet sent by a Basic Bridging BroadBand element (B4) in the DS-Lite network;
a judging unit for judging whether the source IP address of the IPv6 packet, which is the IP address of the B4, exists in an established trusted list;
a processing unit for, when the judging unit's result is yes, decapsulating the IPv6 packet, obtaining the inner IPv4 packet and sending it; and, when the judging unit's result is no, identifying whether the IPv6 packet carries verification confirmation information and sending the identification result to a verification unit;
a verification unit for, when the identification result is no, generating verification information, carrying it in an IPv6 associated packet associated with the IPv6 packet and returning it to the B4, so that the B4 generates verification confirmation information from the received verification information, carries it in an IPv6 packet associated with the IPv6 associated packet and returns it to the AFTR; and, when the identification result is yes, verifying the verification confirmation information and, when verification succeeds, adding the source IP address of the IPv6 packet to the trusted list.
An apparatus for preventing DoS attacks in a DS-Lite network, applied to a Basic Bridging BroadBand element (B4) in the DS-Lite network, comprising:
a receiving unit for receiving an IPv6 packet sent by the NAT router (AFTR) in the DS-Lite network;
an identification unit for identifying whether the IPv6 packet carries verification information;
a processing unit for, when the identification unit finds that the IPv6 packet carries verification information, generating verification confirmation information from it, carrying it in an IPv6 packet associated with the received IPv6 packet and sending it to the AFTR; and,
when the identification unit finds that the IPv6 packet does not carry verification information, decapsulating the received IPv6 packet, obtaining the inner IPv4 packet and sending it.
As can be seen from the above technical solution, in the present invention, when the AFTR receives an IPv6 packet from a B4 it does not immediately decapsulate, NAT and forward it, but first verifies the authenticity of the B4 through a packet exchange with it, which prevents the AFTR from being subjected to a DoS attack.
Description of the drawings
Fig. 1 is a schematic diagram of an IPv4-over-IPv6 tunnel network;
Fig. 2 is a schematic diagram of a DS-Lite network;
Fig. 3 is a schematic diagram of a private IPv4 host accessing a public IPv4 host in a DS-Lite network;
Fig. 4 is the method flow chart provided by the embodiment of the invention;
Fig. 5 is the embodiment flow chart provided by the embodiment of the invention;
Fig. 6 is an implementation schematic of the method provided by the embodiment of the invention;
Fig. 7 is the apparatus structure diagram provided by the embodiment of the invention;
Fig. 8 is another apparatus structure diagram provided by the embodiment of the invention.
Detailed description
To make the objects, technical solutions and advantages of the present invention clearer, the invention is described below with reference to the drawings and specific embodiments.
The method provided by the invention adds a B4 verification procedure on top of the standard DS-Lite protocol. With the invention, when the AFTR receives an IPv6 packet sent by a B4 it does not immediately decapsulate, NAT and forward it, but first verifies the authenticity of that B4 once through a packet exchange with it; only when verification succeeds does it decapsulate, NAT and forward the IPv6 packet.
See Fig. 4, the method flow chart provided by the embodiment of the invention. The flow is applied to the NAT router (AFTR) in the DS-Lite network and, as shown in Fig. 4, can comprise the following steps:
Step 401: receive an IPv6 packet sent by a B4 in the DS-Lite network.
Step 402: judge whether the source IP address of the IPv6 packet, which is the IP address of the B4, exists in the established trusted list; if so, perform step 403; if not, perform step 404.
Step 403: decapsulate the IPv6 packet, obtain the inner IPv4 packet and send it.
Here, decapsulating the IPv6 packet, obtaining the inner IPv4 packet and sending it can be performed in the same way an existing AFTR processes an IPv6 packet received from a B4; the invention does not repeat it.
Step 404: identify whether the IPv6 packet carries verification confirmation information. If not, generate verification information, carry it in an IPv6 associated packet associated with the IPv6 packet and return it to the B4, so that the B4 generates verification confirmation information from the received verification information, carries it in an IPv6 packet associated with the IPv6 associated packet and returns it to the AFTR. If so, verify the verification confirmation information and, when verification succeeds, add the source IP address of the IPv6 packet to the trusted list.
In the present invention, the IPv6 associated packet associated with the IPv6 packet can be implemented in several ways; the invention lists the following two:
Form 1:
Under form 1, the IPv6 associated packet is simply the received IPv6 packet with its source and destination IP addresses swapped; neither the original content sent by Client1 that the IPv6 packet carries nor the inner IPv4 packet is changed.
It can be seen that with form 1 the original content sent by Client1 and the IPv4 packet are always in transit between B4_1 and the AFTR, so the AFTR need not cache the original content. This saves the AFTR's storage resources: before B4_1 passes verification, no AFTR resource such as cache is consumed on its behalf, in the same way a TCP SYN cookie keeps the server stateless until the client proves it can receive packets.
Form 2:
Under form 2, the IPv6 associated packet does not contain the original content of the received IPv6 packet; it is a newly created IPv6 packet whose source IP address is the destination IP address of the received IPv6 packet and whose destination IP address is the source IP address of the received IPv6 packet.
Under form 2, to ensure that packets are forwarded normally after B4_1 passes verification, the AFTR must temporarily cache the IPv6 packet received in step 404. Compared with form 1, form 2 consumes AFTR cache resources before the B4 passes verification, and that cache is itself a resource an attacker sending forged packets can exhaust.
To reclaim the AFTR's cache promptly, preferably, under form 2, after B4_1 passes verification the method further comprises: decapsulating the cached IPv6 packet, obtaining the inner IPv4 packet and sending it, and clearing the cached IPv6 packet.
This completes the flow of Fig. 4.
The flow of Fig. 4 is described in detail below, taking form 1 as the example.
The method provided by the embodiment of the invention is described with reference to Fig. 5:
See Fig. 5, the method flow chart provided by the embodiment of the invention. The method is still illustrated on the DS-Lite network of Fig. 2 and, as shown in Fig. 5, can comprise the following steps:
Step 501: when Client1, connected to B4_1, needs to access a public IPv4 host, Client1 first sends an IPv4 packet to B4_1.
Step 502: when B4_1 receives the IPv4 packet from Client1, it encapsulates it with an IPv6 header to form an IPv6 packet; the source IP address in that IPv6 header is the IP address of B4_1, the sender of the IPv6 packet.
Step 503: B4_1 sends the IPv6 packet to the AFTR through the IPv4-over-IPv6 tunnel between them.
Step 504: when the AFTR receives the IPv6 packet sent by the B4, it judges whether the source IP address of the IPv6 packet exists in the established trusted list; if so, step 505 is performed; if not, step 506.
Step 505: the IPv6 packet is decapsulated, and the inner IPv4 packet is obtained and sent.
Step 505 is performed only when step 504 found the source IP address of the IPv6 packet in the trusted list. Because that source IP address is in fact the IP address of B4_1, the sender of the IPv6 packet, its presence in the trusted list means that B4_1 is trusted and not an attacker, so the IPv6 packet can be decapsulated directly and the inner IPv4 packet obtained and sent. Decapsulating the IPv6 packet and obtaining and sending the inner IPv4 packet can be performed in the same way an existing AFTR processes an IPv6 packet received from a B4; the invention does not repeat it.
Further, in the present invention the IP addresses in the trusted list are added dynamically by the subsequent step 511; see step 511.
Step 506: identify whether the IPv6 packet carries verification confirmation information; if not, step 507 is performed; if so, step 511.
Verification confirmation information is described in detail below.
Step 507: swap the source and destination IP addresses of the IPv6 packet to obtain a new IPv6 packet, generate verification information, carry the generated verification information in the new IPv6 packet, and return it to B4_1.
In the present invention the verification information is derived mainly from an identifier of B4_1, such as its IP address, so the AFTR does not need to store the verification information for B4_1, which saves the AFTR's storage resources.
Preferably, so that the generated verification information is secure and not easily forged, the AFTR periodically generates a random number, for example one every 10 seconds, and derives the verification information from that dynamically generated random number. Specifically, generating the verification information can comprise:
identifying the random number generated in the current period;
computing over the random number, the IP address of the B4 and the IP address of the AFTR, and taking the result as the verification information.
The invention does not restrict how the computation over the random number, the IP address of the B4 and the IP address of the AFTR is performed; for example the MD5 algorithm or the SHA-1 algorithm may be used. Since the random number never leaves the AFTR, it acts as the secret key of this computation, so the result cannot be precomputed by a party that does not hold it.
Step 508: when B4_1 receives the IPv6 packet sent by the AFTR, it identifies whether the received IPv6 packet carries verification information; if so, step 509 is performed; if not, step 510.
Compared with the operation of an existing B4, in the present invention, when B4_1 receives an IPv6 packet sent by the AFTR it does not decapsulate and forward it directly, but first identifies whether the received IPv6 packet carries verification information and handles it accordingly; see steps 509 and 510.
Step 509: B4_1 generates verification confirmation information from the verification information carried in the received IPv6 packet, swaps the source and destination IP addresses of the received IPv6 packet to obtain a new IPv6 packet, carries the generated verification confirmation information in that new IPv6 packet and sends it to the AFTR. The flow then returns to step 504.
In step 509, generating verification confirmation information from the verification information carried in the received IPv6 packet can be implemented as:
directly using the verification information carried in the received IPv6 packet as the verification confirmation information; or
processing the verification information carried in the received IPv6 packet according to a method of generating verification confirmation information negotiated with the AFTR in advance, and using the result as the verification confirmation information.
Step 510: the received IPv6 packet is decapsulated, and the inner IPv4 packet is obtained and sent.
Step 510 can be performed in the same way an existing B4 processes an IPv6 packet received from the AFTR, and is not repeated here.
Step 511: the verification confirmation information is verified; when verification succeeds, the source IP address of the IPv6 packet is added to the trusted list, the verification confirmation information carried in the IPv6 packet is removed, and the IPv6 packet is decapsulated and the inner IPv4 packet obtained and sent.
In the present invention, the AFTR's verification of the verification confirmation information depends on the verification information it previously sent to B4_1. That would require the AFTR to record all verification information sent to B4_1 and, with many B4s, all verification information sent to every B4, which could consume a large amount of AFTR cache. For this reason, given the way verification information is generated as described above, the invention does not have the AFTR cache the verification information sent to each B4 but only the random number generated in each period. Verifying the verification confirmation information in step 511 is then specifically:
Where B4_1 used the verification information carried in the received IPv6 packet directly as the verification confirmation information: the AFTR computes over the random number generated in the current period, the IP address of the B4_1 that sent the verification confirmation information and the IP address of the AFTR, and judges whether the result equals the verification confirmation information; if so, the verification confirmation information passes authentication; otherwise,
the AFTR computes, for each of at least one preceding period close to the current one, over the IP address of the B4_1 that sent the verification confirmation information, the IP address of the AFTR and the random number generated in that period, and compares whether any of those results equals the verification confirmation information; if so, the verification confirmation information passes authentication, otherwise it does not. The reason for also computing with the random numbers of at least one preceding period is that the verification information may have been sent and the verification confirmation information received in different periods, i.e. under different random numbers; checking the preceding periods improves the accuracy of verification.
Of course, where B4_1 processed the verification information according to the method negotiated with the AFTR in advance and used the result as the verification confirmation information: the AFTR computes over the random number generated in the current period, the IP address of the B4_1 that sent the verification confirmation information and the IP address of the AFTR, processes the result according to the negotiated method, and judges whether the processed result equals the verification confirmation information; if so, the verification confirmation information passes authentication; otherwise,
it computes, for each of at least one preceding period close to the current one, over the IP address of the B4_1 that sent the verification confirmation information, the IP address of the AFTR and the random number generated in that period, processes each result according to the negotiated method, and compares whether any of the processed results equals the verification confirmation information; if so, the verification confirmation information passes authentication, otherwise it does not. The reason for also computing with the random numbers of at least one preceding period is the same: the verification information may have been sent and the verification confirmation information received under different random numbers, and checking the preceding periods improves the accuracy of verification.
Here, successful verification of the verification confirmation information in the IPv6 packet means that the authenticity of the B4_1 that sent the IPv6 packet is established.
In addition, in step 511, decapsulating the IPv6 packet and obtaining and sending the inner IPv4 packet can be performed in the same way an existing AFTR processes an IPv6 packet received from a B4; the invention does not repeat it.
This completes the flow of Fig. 5. To aid understanding of the flow of Fig. 5, Fig. 6 shows the packet exchange between Client1, B4_1, the AFTR and the public IPv4 host.
Preferably, in the present invention, both the verification information and the verification confirmation information are carried in a DS-Lite verification option in the IPv6 Destination Options extension header of the IPv6 packet (the Next Header field value for this header is 60). According to the IPv6 protocol, the Destination Options extension header is examined only when the packet reaches its destination; in the present invention the destination of the IPv6 packet received by the AFTR is the AFTR itself, and the destination of the IPv6 packet received by the B4 is the B4 itself, so the Destination Options extension header is the most suitable place. Of course, as an embodiment of the invention, the DS-Lite verification option may also be carried elsewhere in an extension header or in a separately created IPv6 packet; the invention does not restrict this.
With the DS-Lite verification option carried in the IPv6 Destination Options extension header, carrying the computed verification information in the IPv6 associated packet and returning it to B4_1 in step 507 comprises:
identifying whether the IPv6 associated packet has an IPv6 Destination Options extension header;
if so, adding a DS-Lite verification option to that extension header, inserting the computed verification information into the option, and then returning the IPv6 associated packet to B4_1;
if not, creating an IPv6 Destination Options extension header, inserting it into the IPv6 associated packet, adding a DS-Lite verification option to it, inserting the computed verification information into the option, and then returning the IPv6 associated packet to B4_1. Likewise, in step 509, B4_1 carries the verification confirmation information in the new IPv6 packet sent to the AFTR on the same principle, which is not repeated here.
Still with the DS-Lite verification option carried in the IPv6 Destination Options extension header, identifying in step 506 whether the IPv6 packet carries verification confirmation information comprises:
identifying whether the IPv6 packet has an IPv6 Destination Options extension header;
if so, identifying whether that extension header contains a DS-Lite verification option into which verification confirmation information has been inserted; if so, the IPv6 packet is determined to carry verification confirmation information, otherwise it is determined not to;
if not, the IPv6 packet is determined not to carry verification confirmation information.
This completes the description of the method provided by the invention.
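The Destination Options handling of steps 506 and 507 in wire form, as an added example that is not code from the patent or from H3C. It builds the extension header (Next Header, Hdr Ext Len in 8-octet units, TLV options, Pad1/PadN to an 8-octet boundary), adds the DS-Lite verification option to an existing header or creates one, and parses a received header with bounds checks, since the B4 and AFTR are parsing untrusted input. The option type value 0x1E, the 16-byte option value and the function names are assumptions; the text assigns no option type number.

```python
"""IPv6 Destination Options header carrying a DS-Lite verification option (added example)."""
from typing import List, Optional, Tuple

NH_DEST_OPTS = 60          # Next Header value of the Destination Options header
NH_IPIP = 4                # Next Header value of the encapsulated IPv4 packet in DS-Lite
OPT_PAD1 = 0x00
OPT_PADN = 0x01
OPT_DSLITE_VERIFY = 0x1E   # assumption: the text assigns no option type number

Option = Tuple[int, bytes]


def encode_dest_options(next_header: int, options: List[Option]) -> bytes:
    """Serialise options as type/length/value and pad the header to a multiple
    of 8 octets. Hdr Ext Len counts 8-octet units, not including the first 8."""
    body = b"".join(bytes([t, len(v)]) + v for t, v in options)
    pad = (-(2 + len(body))) % 8
    if pad == 1:
        body += bytes([OPT_PAD1])
    elif pad > 1:
        body += bytes([OPT_PADN, pad - 2]) + bytes(pad - 2)
    return bytes([next_header, (2 + len(body)) // 8 - 1]) + body


def decode_dest_options(ext: bytes) -> Tuple[int, List[Option], bytes]:
    """Parse one Destination Options header; returns (next_header, options
    without padding, bytes that follow the header). Every length is checked
    against the header length so a forged value cannot read past it."""
    if len(ext) < 2:
        raise ValueError("truncated extension header")
    total = (ext[1] + 1) * 8
    if len(ext) < total:
        raise ValueError("header length exceeds packet")
    i, opts = 2, []
    while i < total:
        t = ext[i]
        if t == OPT_PAD1:
            i += 1
            continue
        if i + 2 > total:
            raise ValueError("option missing length byte")
        length = ext[i + 1]
        if i + 2 + length > total:
            raise ValueError("option overruns header")
        if t != OPT_PADN:
            opts.append((t, ext[i + 2:i + 2 + length]))
        i += 2 + length
    return ext[0], opts, ext[total:]


def attach_verification(ext: Optional[bytes], next_header: int, value: bytes) -> bytes:
    """Step 507 (and 509): add the option to an existing Destination Options
    header, or create the header when the packet has none. An existing DS-Lite
    verification option is replaced rather than duplicated."""
    if ext is None:
        return encode_dest_options(next_header, [(OPT_DSLITE_VERIFY, value)])
    nh, opts, rest = decode_dest_options(ext)
    opts = [o for o in opts if o[0] != OPT_DSLITE_VERIFY] + [(OPT_DSLITE_VERIFY, value)]
    return encode_dest_options(nh, opts) + rest


def find_verification(next_header: int, payload: bytes) -> Optional[bytes]:
    """Step 506 check on the AFTR (step 508 on the B4): the value of the DS-Lite
    verification option if the packet carries one, else None. next_header is
    the Next Header field of the fixed IPv6 header; payload follows that header."""
    if next_header != NH_DEST_OPTS:
        return None
    try:
        _, opts, _ = decode_dest_options(payload)
    except ValueError:
        return None
    for t, v in opts:
        if t == OPT_DSLITE_VERIFY:
            return v
    return None


if __name__ == "__main__":
    ext = attach_verification(None, NH_IPIP, bytes(range(16)))
    print(ext.hex())
    print(find_verification(NH_DEST_OPTS, ext + b"inner IPv4 packet"))
```

The Next Header of the created header is 4 because, in DS-Lite, what follows the outer IPv6 headers is the encapsulated IPv4 packet; on a packet that already carries a Destination Options header the existing Next Header is preserved. A packet whose Hdr Ext Len claims more bytes than are present is rejected rather than treated as carrying no option, so a malformed reply cannot be mistaken for a verified one.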
The apparatus provided by the invention is described below:
See Fig. 7, the apparatus structure diagram provided by the embodiment of the invention. The apparatus is applied to the NAT router (AFTR) in the DS-Lite network and, as shown in Fig. 7, comprises:
a receiving unit for receiving an IPv6 packet sent by a Basic Bridging BroadBand element (B4) in the DS-Lite network;
a judging unit for judging whether the source IP address of the IPv6 packet, which is the IP address of the B4, exists in an established trusted list;
a processing unit for, when the judging unit's result is yes, decapsulating the IPv6 packet, obtaining the inner IPv4 packet and sending it; and, when the judging unit's result is no, identifying whether the IPv6 packet carries verification confirmation information and sending the identification result to a verification unit;
a verification unit for, when the identification result is no, generating verification information, carrying it in an IPv6 associated packet associated with the IPv6 packet and returning it to the B4, so that the B4 generates verification confirmation information from the received verification information, carries it in an IPv6 packet associated with the IPv6 associated packet and returns it to the AFTR; and, when the identification result is yes, verifying the verification confirmation information and, when verification succeeds, adding the source IP address of the IPv6 packet to the trusted list.
In the present invention, preferably, the IPv6 associated packet associated with an IPv6 packet is the packet obtained by swapping the source and destination IP addresses of that IPv6 packet.
In the present invention, the IPv6 packet associated with the IPv6 associated packet is the packet obtained by swapping the source and destination IP addresses of the IPv6 associated packet; on this basis, after adding the source IP address of the IPv6 packet to the trusted list, the verification unit further notifies the processing unit to process and send it;
Described processing unit when receiving described process notice, being removed the validation confirmation information that described IPv6 message carries, and being carried out decapsulation to described IPv6 message further, obtains the IPv4 message of internal layer and sends.
In the present invention, described authentication unit periodically generates random number further; Based on the random number that this periodically generates, then the processing procedure that described authentication unit calculates an authorization information can comprise:
Identify the random number generated in current period;
The IP address of described random number, described B4, the IP address of this AFTR is utilized to carry out computing, using the result that obtains as described authorization information.
In the present invention, the process by which the authentication unit carries the computed verification information in the associated IPv6 packet and returns it to the B4 may comprise:
identifying whether the associated IPv6 packet already carries an IPv6 Destination Options extension header;
if so, adding a DS-Lite verification option to that Destination Options extension header, inserting the computed verification information into the DS-Lite verification option, and then returning the associated IPv6 packet to the B4;
if not, creating an IPv6 Destination Options extension header, inserting the created header into the associated IPv6 packet, adding a DS-Lite verification option to it, inserting the computed verification information into the DS-Lite verification option, and then returning the associated IPv6 packet to the B4.
In the present invention, the process by which the processing unit identifies whether the IPv6 packet carries verification confirmation information may comprise:
identifying whether the IPv6 packet has an IPv6 Destination Options extension header;
if so, identifying whether that Destination Options extension header contains a DS-Lite verification option into which verification confirmation information has been inserted; if it does, determining that the IPv6 packet carries verification confirmation information, and if it does not, determining that the IPv6 packet does not carry verification confirmation information;
if not, determining that the IPv6 packet does not carry verification confirmation information.
This completes the apparatus shown in Fig. 7.
Preferably, the present invention also provides another apparatus. Referring to Fig. 8, another structural diagram of an apparatus provided by an embodiment of the present invention. The apparatus is applied to the B4 in the DS-Lite network and, as shown in Fig. 8, comprises:
a receiving unit, for receiving an IPv6 packet sent by the NAT router AFTR in the DS-Lite network;
a recognition unit, for identifying whether the IPv6 packet carries verification information;
a processing unit, for generating verification confirmation information according to the verification information carried by the IPv6 packet when the recognition unit identifies that the IPv6 packet carries verification information, carrying the verification confirmation information in an IPv6 packet associated with the IPv6 packet and sending it to the AFTR; and,
when the recognition unit identifies that the IPv6 packet does not carry verification information, decapsulating the received IPv6 packet, obtaining the inner IPv4 packet and sending it.
Preferably, in the present invention, the process by which the processing unit carries the verification confirmation information in the IPv6 packet associated with the IPv6 packet and sends it to the AFTR comprises:
determining the packet obtained by swapping the source IP address and destination IP address of the received IPv6 packet as the IPv6 packet associated with the received IPv6 packet;
carrying the verification confirmation information in the determined IPv6 packet and sending it to the AFTR.
This completes the apparatus shown in Fig. 8.
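The AFTR-side and B4-side behaviour described above (Trusted List lookup, the challenge carried in a DS-Lite verification option of the associated packet's Destination Options header, the confirmation returned in the packet with addresses swapped again, and the per-period random number bound to the B4 and AFTR addresses) as an added, runnable model. This is example code written for this page, not code from the patent or from H3C. It assumes a DS-Lite verification option type of 0x1E (the patent fixes no value), models the "computation" over random number, B4 address and AFTR address as HMAC-SHA256 keyed with the current period's random number, and has the B4 echo the verification information unchanged as its confirmation (the first form of claim 7). The inner IPv4 packet and all addresses are constructed inputs.

```python
import hashlib, hmac, ipaddress, os, struct

IPPROTO_IPIP = 4          # inner IPv4 packet carried in the DS-Lite tunnel
IPPROTO_DSTOPTS = 60      # IPv6 Destination Options extension header
OPT_DSLITE_VERIFY = 0x1E  # ASSUMED option type; the patent fixes no value

def build_ipv6(src, dst, next_hdr, payload):
    # Fixed 40-byte IPv6 header (RFC 8200) followed by the payload.
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_hdr, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload

def parse_ipv6(pkt):
    _, plen, nh, _, src, dst = struct.unpack("!IHBB16s16s", pkt[:40])
    return str(ipaddress.IPv6Address(src)), str(ipaddress.IPv6Address(dst)), nh, pkt[40:40 + plen]

def build_dstopts(next_hdr, token):
    # Destination Options header holding one DS-Lite verification option, padded to 8 octets.
    body = bytes([next_hdr, 0, OPT_DSLITE_VERIFY, len(token)]) + token
    pad = -len(body) % 8
    if pad == 1:
        body += b"\x00"                                   # Pad1
    elif pad:
        body += bytes([1, pad - 2]) + bytes(pad - 2)      # PadN
    return body[:1] + bytes([len(body) // 8 - 1]) + body[2:]  # fill in Hdr Ext Len

def split_dstopts(next_hdr, payload):
    # Return (DS-Lite verification token or None, next header after the options, remaining payload).
    if next_hdr != IPPROTO_DSTOPTS:
        return None, next_hdr, payload
    hlen, token, i = (payload[1] + 1) * 8, None, 2
    while i < hlen:
        if payload[i] == 0:                               # Pad1
            i += 1
            continue
        olen = payload[i + 1]
        if payload[i] == OPT_DSLITE_VERIFY:
            token = payload[i + 2:i + 2 + olen]
        i += 2 + olen
    return token, payload[0], payload[hlen:]

class AFTR:
    def __init__(self, addr):
        self.addr = addr
        self.trusted = set()                                   # the Trusted List
        self.secret, self.prev_secret = os.urandom(16), None   # per-period random number

    def rotate_period(self):
        self.secret, self.prev_secret = os.urandom(16), self.secret

    def _token(self, b4_addr, secret):
        # Computation over random number, B4 address and AFTR address; HMAC is an assumption.
        msg = ipaddress.IPv6Address(b4_addr).packed + ipaddress.IPv6Address(self.addr).packed
        return hmac.new(secret, msg, hashlib.sha256).digest()[:16]

    def receive(self, pkt):
        src, dst, nh, payload = parse_ipv6(pkt)
        confirm, inner_nh, inner = split_dstopts(nh, payload)
        if src in self.trusted:
            return "forward", inner                            # trusted B4: decapsulate at once
        if confirm is None:
            # Challenge: the associated packet (addresses swapped) with the option inserted.
            reply = build_dstopts(inner_nh, self._token(src, self.secret)) + inner
            return "challenge", build_ipv6(dst, src, IPPROTO_DSTOPTS, reply)
        ok = any(hmac.compare_digest(confirm, self._token(src, s))
                 for s in (self.secret, self.prev_secret) if s is not None)
        if not ok:
            return "drop", None
        self.trusted.add(src)
        return "forward", inner                                # confirmation stripped, inner IPv4 sent on

class B4:
    def receive(self, pkt):
        src, dst, nh, payload = parse_ipv6(pkt)
        token, inner_nh, inner = split_dstopts(nh, payload)
        if token is None:
            return "deliver", inner                            # ordinary tunnel packet: decapsulate
        # Echo the verification information as the confirmation, in the associated packet.
        return "confirm", build_ipv6(dst, src, IPPROTO_DSTOPTS, build_dstopts(inner_nh, token) + inner)

INNER_IPV4 = b"\x45\x00" + bytes(18)   # constructed 20-byte stand-in for an encapsulated IPv4 packet

def run_exchange(b4_addr="2001:db8::b4", aftr_addr="2001:db8::1"):
    # Full round: challenge, confirmation, admission to the Trusted List, then direct forwarding.
    aftr, b4 = AFTR(aftr_addr), B4()
    first = build_ipv6(b4_addr, aftr_addr, IPPROTO_IPIP, INNER_IPV4)
    a1, challenge = aftr.receive(first)
    a2, confirm = b4.receive(challenge)
    a3, fwd1 = aftr.receive(confirm)
    a4, fwd2 = aftr.receive(first)
    return a1, a2, a3, a4, fwd1 == INNER_IPV4 and fwd2 == INNER_IPV4

def forged_confirmation_dropped(b4_addr="2001:db8::b4", aftr_addr="2001:db8::1"):
    # A confirmation carrying a guessed token, as a sender who never saw the challenge would send.
    aftr = AFTR(aftr_addr)
    bogus = build_dstopts(IPPROTO_IPIP, os.urandom(16)) + INNER_IPV4
    action, _ = aftr.receive(build_ipv6(b4_addr, aftr_addr, IPPROTO_DSTOPTS, bogus))
    return action == "drop" and b4_addr not in aftr.trusted
```

Calling run_exchange() returns ("challenge", "confirm", "forward", "forward", True). Two properties of the scheme show up directly: the AFTR keeps no per-flow state for unverified sources, because the token is recomputed from the period's random number, so a flood of spoofed-source tunnel packets costs it one HMAC and one reply each and never reaches decapsulation or NAT; and because the challenge is addressed to the claimed source, a sender spoofing another B4's address never sees the token (forged_confirmation_dropped). The Trusted List is keyed only by source address, so a sender with a genuinely routable address is admitted after one round trip, which is why entries should age out in a deployment; the previous period's random number is accepted so that a confirmation straddling a rotation is not rejected.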
As can be seen from the above technical solution, in the present invention, when the AFTR receives an IPv6 packet from a B4 it does not directly decapsulate the packet, apply NAT and forward it; instead it verifies the authenticity of the B4 through a packet exchange between the AFTR and the B4, which prevents the AFTR from suffering a DoS attack.
Further, in the present invention, when verifying the authenticity of the B4, the verification information is inserted into the original packet content sent by the client, which minimizes the resources the AFTR spends on verifying the B4, giving high performance and strong reliability.
The foregoing are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims (13)

1. A method for preventing DoS attacks in a Dual-Stack Lite (DS-Lite) network, applied to the NAT router AFTR in the DS-Lite network, characterized in that the method comprises:
receiving an IPv6 packet sent by a Basic Bridging BroadBand element (B4) in the DS-Lite network;
judging whether the source IP address of the IPv6 packet exists in an established Trusted List, the source IP address of the IPv6 packet being the IP address of the B4;
if so, decapsulating the IPv6 packet, obtaining the inner IPv4 packet and sending it;
if not,
identifying whether the IPv6 packet carries verification confirmation information; if not, generating verification information, carrying the verification information in an associated IPv6 packet associated with the IPv6 packet and returning it to the B4, so that the B4 generates verification confirmation information according to the received verification information, carries it in an IPv6 packet associated with the associated IPv6 packet and returns it to the AFTR; if so, verifying the verification confirmation information and, when verification succeeds, adding the source IP address of the IPv6 packet to the Trusted List.
2. The method according to claim 1, characterized in that the associated IPv6 packet associated with the IPv6 packet is:
the packet obtained by swapping the source IP address and destination IP address of the IPv6 packet.
3. The method according to claim 2, characterized in that the IPv6 packet associated with the associated IPv6 packet is the packet obtained by swapping the source IP address and destination IP address of the associated IPv6 packet;
after adding the source IP address of the IPv6 packet to the Trusted List, the method further comprises:
removing the verification confirmation information carried by the IPv6 packet, decapsulating the IPv6 packet, obtaining the inner IPv4 packet and sending it.
4. The method according to claim 1, characterized in that the method further comprises: periodically generating a random number;
and generating the verification information comprises:
identifying the random number generated in the current period;
performing a computation over the IP address of this AFTR, the random number and the source IP address of the IPv6 packet, and using the result as the verification information.
5. The method according to any one of claims 1 to 4, characterized in that the verification information is carried in the IPv6 Destination Options extension header of the associated IPv6 packet, or in an extension header newly added to the associated IPv6 packet, or in another position of the IPv6 packet;
and the verification confirmation information is carried in the IPv6 Destination Options extension header of the IPv6 packet, or in an extension header newly added to the IPv6 packet, or in another position of the IPv6 packet.
6. A method for preventing DoS attacks in a Dual-Stack Lite (DS-Lite) network, applied to a Basic Bridging BroadBand element (B4) in the DS-Lite network, characterized in that the method comprises:
receiving an IPv6 packet sent by the NAT router AFTR in the DS-Lite network;
identifying whether the IPv6 packet carries verification information;
if so, generating verification confirmation information according to the verification information carried by the IPv6 packet, carrying the verification confirmation information in an IPv6 packet associated with the IPv6 packet and sending it to the AFTR;
if not, decapsulating the received IPv6 packet, obtaining the inner IPv4 packet and sending it.
7. The method according to claim 6, characterized in that generating verification confirmation information according to the verification information carried by the IPv6 packet comprises:
using the verification information carried by the IPv6 packet directly as the verification confirmation information; or,
processing the verification information carried by the IPv6 packet in a manner previously negotiated with the AFTR for generating verification confirmation information, and using the result as the verification confirmation information.
8. The method according to claim 6 or 7, characterized in that carrying the verification confirmation information in the IPv6 packet associated with the IPv6 packet and sending it to the AFTR comprises:
determining the packet obtained by swapping the source IP address and destination IP address of the received IPv6 packet as the IPv6 packet associated with the received IPv6 packet;
carrying the verification confirmation information in the determined IPv6 packet and sending it to the AFTR.
9. An apparatus for preventing DoS attacks in a Dual-Stack Lite (DS-Lite) network, applied to the NAT router AFTR in the DS-Lite network, characterized in that the apparatus comprises:
a receiving unit, for receiving an IPv6 packet sent by a Basic Bridging BroadBand element (B4) in the DS-Lite network;
a judging unit, for judging whether the source IP address of the IPv6 packet exists in an established Trusted List, the source IP address of the IPv6 packet being the IP address of the B4;
a processing unit, for decapsulating the IPv6 packet, obtaining the inner IPv4 packet and sending it when the judgment result of the judging unit is yes; and, when the judgment result of the judging unit is no, identifying whether the IPv6 packet carries verification confirmation information and sending the identification result to an authentication unit;
an authentication unit, for generating verification information when the identification result is no, carrying the verification information in an associated IPv6 packet associated with the IPv6 packet and returning it to the B4, so that the B4 generates verification confirmation information according to the received verification information, carries it in an IPv6 packet associated with the associated IPv6 packet and returns it to the AFTR; and, when the identification result is yes, verifying the verification confirmation information and, when verification succeeds, adding the source IP address of the IPv6 packet to the Trusted List.
10. The apparatus according to claim 9, characterized in that the associated IPv6 packet associated with the IPv6 packet is the packet obtained by swapping the source IP address and destination IP address of the IPv6 packet.
11. The apparatus according to claim 10, characterized in that the IPv6 packet associated with the associated IPv6 packet is the packet obtained by swapping the source IP address and destination IP address of the associated IPv6 packet;
the authentication unit further sends a processing notification to the processing unit after adding the source IP address of the IPv6 packet to the Trusted List;
on receiving the processing notification, the processing unit removes the verification confirmation information carried by the IPv6 packet, decapsulates the IPv6 packet, obtains the inner IPv4 packet and sends it.
12. An apparatus for preventing DoS attacks in a Dual-Stack Lite (DS-Lite) network, applied to a Basic Bridging BroadBand element (B4) in the DS-Lite network, characterized in that the apparatus comprises:
a receiving unit, for receiving an IPv6 packet sent by the NAT router AFTR in the DS-Lite network;
a recognition unit, for identifying whether the IPv6 packet carries verification information;
a processing unit, for generating verification confirmation information according to the verification information carried by the IPv6 packet when the recognition unit identifies that the IPv6 packet carries verification information, carrying the verification confirmation information in an IPv6 packet associated with the IPv6 packet and sending it to the AFTR; and,
when the recognition unit identifies that the IPv6 packet does not carry verification information, decapsulating the received IPv6 packet, obtaining the inner IPv4 packet and sending it.
13. The apparatus according to claim 12, characterized in that the processing unit carrying the verification confirmation information in the IPv6 packet associated with the IPv6 packet and sending it to the AFTR comprises:
determining the packet obtained by swapping the source IP address and destination IP address of the received IPv6 packet as the IPv6 packet associated with the received IPv6 packet;
carrying the verification confirmation information in the determined IPv6 packet and sending it to the AFTR.
Application CN201310026178.9A, priority date 2013-01-23, filing date 2013-01-23: Prevent the DoS attack method and apparatus in DS-Lite networking. Status: Active. Granted as CN103067411B (en). Family ID 48109870; country: CN.

Publications (2)

Publication Number Publication Date
CN103067411A (en) 2013-04-24
CN103067411B (en) 2016-03-30

Legal Events

Code Title Description
C06 / PB01 Publication
C10 / SE01 Entry into substantive examination; entry into force of request for substantive examination
C14 / GR01 Grant of patent or utility model; patent grant
CP03 Change of name, title or address. Patentee before: HANGZHOU H3C TECHNOLOGIES Co.,Ltd., 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base. Patentee after: NEW H3C TECHNOLOGIES Co.,Ltd., 310052 No. 466 Changhe Road, Binjiang District, Zhejiang, China.
TR01 Transfer of patent right, effective date of registration 2023-06-27. Patentee before: NEW H3C TECHNOLOGIES Co.,Ltd., 310052 No. 466 Changhe Road, Binjiang District, Hangzhou, Zhejiang Province. Patentee after: H3C INFORMATION TECHNOLOGY Co.,Ltd., 310052 11th Floor, 466 Changhe Road, Binjiang District, Hangzhou City, Zhejiang Province.